jklock commented Aug 26, 2025

Throwing this one out for the homies

I recently helped out an old lady who got a second-hand computer from her grandkid and it had an MDM profile / DEP screen that stole the mouse and keyboard input. I did not wipe the machine or reinstall macOS. I used recovery mode + root account. The machine was an M1 MacBook Air running 14.7.8 that was hard stuck at DEP enrollment (would lock you out after 10 seconds). If you want to run the script at the end, you will need to leave csrutil disabled (which I disabled as part of this exercise). Otherwise, after you have validated you are back in and working, just enable it again and reboot.

Recovery Mode

##################################################################################
# RECOVERY: unlock the Data volume, clear ADE/MDM state, block Apple endpoints,
# sync Preboot (important with FileVault), then reboot. Make sure to note diskXsY.
##################################################################################

# 1) Identify and unlock the FileVault Data (Macintosh HD - DATA) volume
diskutil apfs list
diskutil apfs unlockVolume diskXsY -passphrase "YOUR_FILEVAULT_PASSWORD"

# 2) Flip ADE state on the Data volume:
cd "/Volumes/Macintosh HD - Data/var/db/ConfigurationProfiles/Settings"

rm -rf ./.*
rm -rf ./*

touch .cloudConfigProfileInstalled
touch .cloudConfigRecordNotFound

# 3) Remove any already-installed MDM profiles from the local store (Sequoia stores them in Store/).
cd "/Volumes/Macintosh HD - Data/var/db/ConfigurationProfiles/Store"

rm -rf ./.*
rm -rf ./*   # not "/*": only the contents of the Store directory

# 4) Ensure Setup Assistant won’t rerun
touch "/Volumes/Macintosh HD - Data/var/db/.AppleSetupDone"

# 5) Block Apple Automated Device Enrollment endpoints
echo "0.0.0.0 deviceenrollment.apple.com" >> "/Volumes/Macintosh HD - Data/etc/hosts"
echo "0.0.0.0 mdmenrollment.apple.com"   >> "/Volumes/Macintosh HD - Data/etc/hosts"
echo "0.0.0.0 iprofiles.apple.com"       >> "/Volumes/Macintosh HD - Data/etc/hosts"

# 6) Sync Preboot with updated Data volume
diskutil apfs updatePreboot diskXsY

# 7) Reboot
reboot

Normal macOS (not recovery)

################################################################################
# NORMAL macOS: disable enrollment daemons/agents so they can’t reassert nag state
################################################################################

# 1) Disable and stop system daemons
sudo launchctl disable system/com.apple.ManagedClient.cloudconfigurationd
sudo launchctl bootout  system/com.apple.ManagedClient.cloudconfigurationd 2>/dev/null || true

sudo launchctl disable system/com.apple.ManagedClient.daemon
sudo launchctl bootout  system/com.apple.ManagedClient.daemon 2>/dev/null || true

# Present on some builds; safe even if absent
sudo launchctl disable system/com.apple.ManagedClient.enroll 2>/dev/null || true
sudo launchctl bootout  system/com.apple.ManagedClient.enroll 2>/dev/null || true

# 2) Disable and stop per-user agents
for uid in $(dscl . -list /Users UniqueID | awk '$2>=501 {print $2}'); do
  sudo launchctl disable gui/$uid/com.apple.ManagedClientAgent.enrollagent 2>/dev/null || true
  sudo launchctl bootout  gui/$uid/com.apple.ManagedClientAgent.enrollagent 2>/dev/null || true
  sudo launchctl disable user/$uid/com.apple.ManagedClientAgent.enrollagent 2>/dev/null || true
  sudo launchctl bootout  user/$uid/com.apple.ManagedClientAgent.enrollagent 2>/dev/null || true
done

# 3) Quick checks
csrutil status
sudo profiles show -type enrollment
grep -E 'deviceenrollment|mdmenrollment|iprofiles' /etc/hosts
ls -al /var/db/ConfigurationProfiles/Settings

One-time setup script:

# =====================================================================
# ONE-TIME SETUP Script baby
# =====================================================================

# 0) Root-owned place for the script
sudo mkdir -p /usr/local/sbin
sudo chown root:wheel /usr/local/sbin
sudo chmod 755 /usr/local/sbin

# 1) Create the enforcement script (no deletes; only disable + add/ensure)
sudo tee /usr/local/sbin/mdm_enforce.sh >/dev/null <<'SH'
#!/bin/sh
set -e

SETTINGS="/var/db/ConfigurationProfiles/Settings"
HOSTS="/etc/hosts"

# ---------- A) Disable/stop ManagedClient daemons (system) ----------
launchctl disable system/com.apple.ManagedClient.cloudconfigurationd 2>/dev/null || true
launchctl bootout  system/com.apple.ManagedClient.cloudconfigurationd 2>/dev/null || true
launchctl disable system/com.apple.ManagedClient.daemon 2>/dev/null || true
launchctl bootout  system/com.apple.ManagedClient.daemon 2>/dev/null || true
launchctl disable system/com.apple.ManagedClient.enroll 2>/dev/null || true
launchctl bootout  system/com.apple.ManagedClient.enroll 2>/dev/null || true

# ---------- B) Disable/stop agents for ALL real user IDs ----------
# (covers both gui/UID and user/UID; safe no-ops if not present)
USER_IDS=$(/usr/bin/dscl . -list /Users UniqueID 2>/dev/null | /usr/bin/awk '$2>=501 {print $2}')
for USER_ID in $USER_IDS; do
  launchctl disable "gui/${USER_ID}/com.apple.ManagedClientAgent.enrollagent" 2>/dev/null || true
  launchctl bootout  "gui/${USER_ID}/com.apple.ManagedClientAgent.enrollagent" 2>/dev/null || true
  launchctl disable "user/${USER_ID}/com.apple.ManagedClientAgent.enrollagent" 2>/dev/null || true
  launchctl bootout  "user/${USER_ID}/com.apple.ManagedClientAgent.enrollagent" 2>/dev/null || true
done

# ---------- C) Ensure spoof flags exist (no removal) ----------
/bin/mkdir -p "${SETTINGS}"
/usr/bin/touch "${SETTINGS}/.cloudConfigProfileInstalled"
/usr/bin/touch "${SETTINGS}/.cloudConfigRecordNotFound"

# ---------- D) Keep Setup Assistant marked complete ----------
/usr/bin/touch /var/db/.AppleSetupDone

# ---------- E) Ensure ADE endpoints are blocked (idempotent) ----------
/usr/bin/grep -q 'deviceenrollment.apple.com' "${HOSTS}" || echo "0.0.0.0 deviceenrollment.apple.com" >> "${HOSTS}"
/usr/bin/grep -q 'mdmenrollment.apple.com'   "${HOSTS}" || echo "0.0.0.0 mdmenrollment.apple.com"   >> "${HOSTS}"
/usr/bin/grep -q 'iprofiles.apple.com'       "${HOSTS}" || echo "0.0.0.0 iprofiles.apple.com"       >> "${HOSTS}"

exit 0
SH

sudo chmod 755 /usr/local/sbin/mdm_enforce.sh
sudo chown root:wheel /usr/local/sbin/mdm_enforce.sh

LaunchDaemon to auto-run:

sudo tee /Library/LaunchDaemons/com.local.mdm_enforce.plist >/dev/null <<'PLIST'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.local.mdm_enforce</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/sbin/mdm_enforce.sh</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
  <key>StartInterval</key>
  <integer>900</integer>
  <key>StandardOutPath</key>
  <string>/var/log/mdm_enforce.log</string>
  <key>StandardErrorPath</key>
  <string>/var/log/mdm_enforce.log</string>
</dict>
</plist>
PLIST

sudo chown root:wheel /Library/LaunchDaemons/com.local.mdm_enforce.plist
sudo chmod 644 /Library/LaunchDaemons/com.local.mdm_enforce.plist

# load and kickstart it right away
sudo launchctl bootstrap system /Library/LaunchDaemons/com.local.mdm_enforce.plist
sudo launchctl enable system/com.local.mdm_enforce
sudo launchctl kickstart -k system/com.local.mdm_enforce
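An added audit script for the defender side, written for this thread and not part of the gist or its author's scripts: it checks for the artifacts the steps above leave on disk (the sinkholed enrollment hosts entries, the two flag files in Settings, and a LaunchDaemon that re-creates them), so an admin or the buyer of a second-hand Mac can recognise a suppressed enrollment. It assumes only POSIX sh, grep and sed; the three paths are parameters so it can also be run against a Data volume mounted from another Mac.

```shell
#!/bin/sh
# Added audit helper (not from the gist): reports the on-disk artifacts that the
# procedure above leaves behind, so an admin or buyer can recognise a device whose
# ADE/MDM enrollment was suppressed rather than released by the organisation.

ADE_HOSTS="deviceenrollment.apple.com mdmenrollment.apple.com iprofiles.apple.com"  # sinkholed by the gist

# Print each ADE endpoint mapped to 0.0.0.0 or 127.0.0.1 in the given hosts file.
# Commented-out lines are ignored and the hostname must match as a whole field.
hosts_sinkholes() {
  [ -r "$1" ] || return 1
  for h in $ADE_HOSTS; do
    pat="$(printf '%s' "$h" | sed 's/\./\\./g')"
    grep -Ev '^[[:space:]]*#' "$1" \
      | grep -Eq "^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+${pat}([[:space:]]|\$)" \
      && echo "$h"
  done
  return 0
}

# Print which of the two flag files the gist touches exist in a Settings directory.
# Both present while "profiles show -type enrollment" lists nothing is the tell.
spoof_flags() {
  for f in .cloudConfigProfileInstalled .cloudConfigRecordNotFound; do
    [ -e "$1/$f" ] && echo "$f"
  done
  return 0
}

# Print LaunchDaemon plists whose program (first absolute-path <string>) re-creates
# those flags or edits the ADE hosts entries, as com.local.mdm_enforce above does.
suspicious_daemons() {
  for plist in "$1"/*.plist; do
    [ -e "$plist" ] || continue
    prog="$(sed -n 's|.*<string>\(/[^<]*\)</string>.*|\1|p' "$plist" | head -n 1)"
    [ -r "$prog" ] || continue
    grep -Eq 'cloudConfig(ProfileInstalled|RecordNotFound)|(deviceenrollment|mdmenrollment|iprofiles)\.apple\.com' "$prog" \
      && echo "$plist"
  done
  return 0
}

# Run against the live system's real paths (override any of the three arguments).
# On macOS, 'launchctl print-disabled system' then shows the disabled ManagedClient services.
audit_mdm_bypass() {
  echo "sinkholed ADE hosts:"; hosts_sinkholes "${1:-/etc/hosts}"
  echo "spoof flags:"; spoof_flags "${2:-/var/db/ConfigurationProfiles/Settings}"
  echo "enforcement daemons:"; suspicious_daemons "${3:-/Library/LaunchDaemons}"
}
```

Run audit_mdm_bypass as root on the machine itself, or pass the mounted volume's hosts file, Settings directory and LaunchDaemons directory as the three arguments.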


tuaris commented Sep 5, 2025

Careful with those rm -rf ./.*, rm -rf ./*, rm -rf /* commands; they look like they might delete more than you are expecting. I'm talking especially about that last one. There's a typo.

rm -rf ./.*
rm -rf /*

Is there any way to install macOS without Internet access after erasing the volume?

@spoved-aws

Anyone able to upgrade to macOS Tahoe from the App Store?

@BurakcanA

> Anyone able to upgrade to macOS Tahoe from the App Store?

Waiting for the same question as well.

@eechukwu

[two WhatsApp screenshots attached]

I just tried it on my test MacBook Pro, and the enrolment message popped up.

@andreipricope

> [two WhatsApp screenshots attached] I just tried it on my test MacBook Pro, and the enrolment message popped up.

Can you still use the device if you get the enrol message?

@Samiakaraeen

Works fine without any problem. You may need to install an old macOS, then do the process. I also prefer to do mount -uw / to remove the read-only on the hosts file.

@nyamwaya

Anybody know if I can update to Tahoe? I'm on 15.2 or something.

@nyamwaya

> > Anyone able to upgrade to macOS Tahoe from the App Store?
>
> Waiting for the same question as well.

One of us has to be brave and do this. For research, lol.

@nyamwaya

> [two WhatsApp screenshots attached] I just tried it on my test MacBook Pro, and the enrolment message popped up.

Do you mean that you upgraded to Tahoe and got the MDM DEP profile message? Or were you safely able to upgrade?


turnbased14 commented Dec 1, 2025

I have a MacBook Pro 2023, M2 chip.

I installed macOS Sequoia.

Hello, I used this script by https://github.com/eudy97/MDM-bypass 4 months ago and bypassed the MDM perfectly, but now I want to do it again and I'm getting this "Not a known DirStatus". Please help.

[screenshot attached: IMG_6046]


nyamwaya commented Dec 1, 2025

> I have a MacBook Pro 2023, M2 chip.
>
> I installed macOS Sequoia.
>
> Hello, I used this script by https://github.com/eudy97/MDM-bypass 4 months ago and bypassed the MDM perfectly, but now I want to do it again and I'm getting this "Not a known DirStatus". Please help.
>
> [screenshot attached: IMG_6046]

I think you have to go back to the OS version that the script supports. You can't do it with another version. Other people say they have needed to downgrade (install an older version of macOS, the one the script supports), run it, then upgrade again.


turnbased14 commented Dec 2, 2025

How do I go back? Do I download it onto a USB flash drive from a computer and then plug it in and install it?

Thanks so much for your feedback by the way : )


Aooga776 commented Dec 2, 2025

So has anyone successfully moved to macOS 26 with the DEP still being bypassed? It's crazy how easy it is to block DEP and profile install on an iPad, but the Mac is so much more complicated.


nyamwaya commented Dec 3, 2025

> How do I go back? Do I download it onto a USB flash drive from a computer and then plug it in and install it?
>
> Thanks so much for your feedback by the way : )

Follow the instructions on here at the top. You'll need a second Mac. There are a few other gists that explain how to do it; just google "dep disable m1 macbook pro" and follow the gists. You need a second Mac, restore the other one or something to an older version, then follow the steps to run the script or type the commands in yourself.


piranhap commented Dec 5, 2025

Anyone know a good place to buy MBPs with these blocks? All I can think of is local surplus.
